Canada: Fintech At The Crossroads: Regulating The Revolution

Financial technology or "FinTech" -- using information and communications technology to better deliver financial services -- has undergone explosive growth in recent years. Technology spending by the Canadian financial sector is estimated to reach Cdn$14.8 billion by 2018.1 FinTech itself is nothing new, of course: from ATMs to online banking, financial institutions have been using technology to deliver services to end users for over 30 years. But what is new is the entry into the market place of the "disruptors" – both new technologies and new players – that promise to deliver a new user experience, especially to the younger demographic that grew up on smartphones and tablets.

FinTech is incredibly diverse and does not have clearly defined boundaries. It can include everything from conventional online banking to big data, peer-to-peer or marketplace lending, mobile payments, digital wallets, crowdfunding, robo-advice and applications of distributed ledger/blockchain technology. FinTech is both responding to and creating a demand for more efficient business models and a seamless user experience that may bypass traditional trusted intermediaries. Financial services once offered exclusively by bricks-and-mortar financial institutions are now being unbundled by emergent start-ups, and the traditional players are scrambling to maintain market share either alone or in partnership with dedicated FinTech firms. Both groups are using new technologies to deliver innovative financial services products directly to consumers.

As with many disruptors that encroach on areas once reserved for highly regulated industries (think Uber and airbnb) , FinTech poses many challenges to regulators struggling to strike the right balance between protecting end users and fostering innovation. The established players may argue that the new kids on the block aren't constrained by the same rules as the incumbents and may lobby regulators to level the playing field by imposing uniform regulation across the board. The new entrants may respond that regulatory compliance is costly and that too much regulation imposes unreasonable barriers to entry that protect vested interests and oligopolies and stifle competition and innovation. How much regulation is too much or too little?

In the coming years, we expect to hear heated debates around whether and how FinTech should be regulated and in particular how best to draft legislation that helps level the regulatory playing field without discouraging innovation and helps foster that innovation without sacrificing the safety and security of end users.

Issues in Regulation

One of the recurrent complaints from incumbents in this space is that FinTech start-ups are subject to less onerous regulation than traditional financial institutions, allowing the new entrants to employ faster go-to-market strategies and reach more customers. Federally regulated financial institutions, for example, must maintain minimum levels of regulatory capital and abide by a host of detailed prudential regulations that protect depositors and borrowers while FinTech start-ups face few of those constraints. The starting point for regulation is often the type of entity that provides a service rather than the service itself, meaning that two businesses offering similar services may be subject to widely different regulatory regimes. Banks that provide funds transfer services to their customers are subject to the registration and reporting requirements of the anti-money laundering legislation discussed below while services such as PayPal are not. Clearing members of Payments Canada that settle funds through the national cheque clearing system are subject to voluminous rules governing standards and finality of payment while operators of private retail payment networks such as Visa and MasterCard are governed largely by contract. A few years ago the Task Force for Payments Systems Review proposed that at the federal level all payments be regulated under a single system, without regard to the type of entity that facilitates the payment,2 and the Department of Finance more recently issued a consultation paper on the same theme.3 Should regulators take the same approach to the whole FinTech ecosystem?

FinTech regulators also face the difficult challenge of balancing the need to ensure the safety and soundness of the financial markets against the need to encourage further innovation that will allow Canadian FinTech businesses to become global competitors.

One specific area of concern is consumer and investor protection. FinTech companies are revolutionizing consumer banking and payments through alternative credit models that link lenders and borrowers directly, cut out the heavily regulated "middlemen" and apply sophisticated algorithms that can analyze the financial condition of prospective borrowers and deliver credit approvals in hours or even minutes rather than days. While this technology can speed up consumer lending, improve user experience and lower consumer costs, it raises some red flags as well. Happy with the slick and frictionless user interface, borrowing consumers may not be aware of the concerns that have been raised regarding cybersecurity and information privacy. Direct lenders may embrace the ease with which they can lend money out at attractive rates of return but not appreciate the risks of investing large sums of cash without the manifold protections mandated by securities regulations. Regulators must consider how best to guard consumer interests without stifling the innovations consumers desire.

An overview of the current regulatory landscape

There is currently no single Canadian FinTech regulator at either the federal or provincial level, nor any standard-setting technical bodies. The multidisciplinary nature of FinTech means that it is difficult to determine what should be regulated, and by whom. While there is no FinTech-specific regulation in Canada, some existing legislation does apply.

Information Security

Personal information and data security are huge concerns in the FinTech world and the growth of FinTech has significant cybersecurity implications. As FinTech products are increasingly embraced, both corporate and individual consumer financial information is at risk. Emerging tech companies are eager to jump into the financial services industry, but their security measures may be untested and insufficient. Some legislative protections do exist. Currently, businesses must comply with the federal Personal Information Protection and Electronic Documents Act or its provincial equivalents and Canada's Anti-Spam Legislation. However, some have expressed concerns that emergent FinTech companies may not be adequately equipped to deal with cybersecurity issues. The CEO of Toronto-Dominion Bank recently maintained that data breaches and solvency issues have "plagued" many new entrants, a claim hotly denied by the entrants themselves.4

Anti-Money Laundering

Canada's federal government has made significant strides in recent years to strengthen its anti-money laundering ("AML") regime in accordance with its international obligations. Because some FinTech transactions involving money transfers do not need to be made through financial institutions that are subject to AML laws, regulators have expressed some concern that such transactions could be used for money laundering without appropriate regulatory scrutiny. Some FinTech companies must comply with the registration, client identification and verification and transaction reporting requirements under the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act administered by the Financial Transactions and Reports Analysis Centre of Canada ("FINTRAC"), Canada's financial intelligence unit. Many others, however, do not fall within any of the categories of entities required to report to FINTRAC.

Consumer and Investor Protection

Due to rapid go-to-market strategies, investors and FinTech users may not receive the same amount of information and disclosure as that provided by incumbent financial institutions. However, start-ups must comply with relevant securities laws when raising capital, and with provincial consumer protection law when offering consumer-oriented products, but may be unfamiliar with the complex rules in these areas or assume that they do not apply. A FinTech starting seeking to raise capital through on-line "crowd funding" may be faced with the expensive and time consuming task of preparing a prospectus to be filed under provincial securities law unless an exemption exists. Recently, the Ontario Securities Commission has adopted Multilateral Instrument 45-108, which provides an exemption for "crowd-funding" offerings of up to $1.5 million within a 12 month period in relatively small amounts ($2,500 for each non-accredited investor, up to $10,000 per investor in a calendar year), but the eligibility requirements are complex and may necessitate bringing hundreds of shareholders on board. The Commission has also warned on-line marketplace lenders that the investments they offer to prospective lenders may be regarded as "securities" for the purpose of securities legislation and accordingly attract onerous registration and prospectus requirements unless an exemption is available.5 Currently there are no exemptions specifically tailored to on-line lending.

In addition, each province has in place detailed requirements under consumer protection legislation mandating disclosure of the cost of borrowing (such as the "annual percentage rate") for consumer loans. These requirements apply to all lenders in this sector, not just financial institutions or finance companies as such. Any on-line lender making loans to consumers would be bound by these complex laws regardless of the electronic medium.

Third-Party Outsourcing Relationships

Building in-house tech solutions is expensive, increasingly pushing financial institutions to outsource their IT functions. With this, however, comes the danger of data leaks and the difficulty of engaging with companies that lack the tools to handle information responsibly. The federal Office of the Superintendant of Financial Institutions has issued guidelines6 on outsourcing business activities and functions for federally-regulated financial institutions, which provide that the entity retains ultimate accountability.

Next Steps in Regulation

While the FinTech regulatory ecosystem is still in its infancy, it won't stay that way for long. The Canadian government will soon be fostering innovation in existing and start-up companies, while remaining cognizant of their role in providing regulatory protection to end-consumers of FinTech products. Although regulatory compliance can be costly for companies, clarifying applicable legislation and who it applies to, may be useful in long-term. Online payment methods and anti-money laundering are just two of many areas where we are likely to see–or are already seeing– considerable development.


Consumers are increasingly turning to mobile apps and online platforms to transfer funds, transforming existing payment infrastructures. In Canada, consumers are protected by provincial consumer protection laws and by the policies and business practices of the company, but in the absence of federal regulation, provinces and services providers are inconsistent in their regulation. In the retail payment space, existing rules and regulation have focused on the nature of the provider (i.e., a federally regulated financial institution is subject to different regulations than to a non-financial institution) rather than on the service provided (e.g., both entities may hold or transfer funds on behalf of consumers). In a recent consultation paper Payments Canada noted that stakeholders have called for "organization-agnostic oversight rules, applied consistently based on activity" for the payments system.7 Adopting this recommendation may provide better protection for system participants and end users through enhanced consistency of rules, regardless of the service provider.

Anti-Money Laundering

A significant consideration for financial service regulators will be enhanced protection against money laundering risk. Because FinTech companies may not be directly regulated by traditional regulators, compliance with AML legislation may be inconsistent or non-existent. Many FinTech companies do not have the infrastructure in place or the requisite expertise to adequately investigate users and trace funds. With the increasing use of platforms that facilitate payments and movements of money with more speed and greater anonymity, FinTech companies and those using financial technology will likely come under greater scrutiny to ensure that they have taken adequate steps to mitigate . money laundering risk. It is critical that financial services providers understand the extent to which they are subject to AML regulation and how to comply.

On June 17, 2016 the federal Department of Finance released amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act that were published on June 29.8 The new regulations make material changes in the areas of client identification and verification, especially for clients who are not physically present, and the adoption of electronic signatures. These changes should make processes such as on-line customer onboarding faster, more seamless and much less dependent on paper documents, thereby fostering growth and innovation in the FinTech space. By the same token, they also serve as a reminder that FinTech companies are not flying under the regulatory radar.

Alternative Approaches to Regulation and Innovation: Sandboxes and Hubs

Some jurisdictions. notably the U.K., Australia and Singapore, have implemented an innovative approach to regulating FinTech service providers that could serve as a model for similar initiatives federally and provincially in Canada, known as the "regulatory sandbox".9 In this model, qualified entrants are permitted to offer innovative products and services to a select subset of end users to allow them to test the waters without fear of regulatory sanctions. Often regulators will issue no-action letters, confirming that the rules are suspended for a specified period. Once the start-up is established, it leaves the "sandbox" and complies with the general regulatory regime in the "real world".

The U.S. Office of the Comptroller of the Currency recently issued a white paper10 supporting reasonable financial innovation based on eight core principles. The Consumer Financial Protection Bureau proposed a "no-action letter" policy that bears some similarity to the regulatory sandbox approach. In the UK, the Government Chief Scientific Advisor has issued a FinTech Futures Report that makes 10 key recommendations for government to contribute to and support the evolution of FinTech.

Another promising approach that Canadian regulators might consider to adopt more widely is the "innovation hub" that offers start-ups dedicated teams to help them navigate the regulatory landscape and obtain the necessary approvals.

These novel approaches show that regulators can do more than apply the brakes to FinTech innovation; they can also put their feet to the accelerator.


1. MaRS & Information Venture Partners, "Ten Surprising Facts about Fintech in Canada", online: (

2. See Task for the Payment Systems Review, The Way We Pay: Transforming the Canadian Payments System, available here.

3. Balancing Oversight and Innovation in the Ways We Pay: A Consultation Paper (2015), available here.

4. Barbara Schechter, " Debate over regulating fintechs heats up in Canada and the U.S", Financial Post, March 31, 2016.

5. Ontario Securities Commission, News Release, "OSC Sets Out Expectations for Businesses Planning to Operate Peer-to-Peer Lending Websites" (19 June 2015), available here.

6. OSFI Guideline B-10, Outsourcing of Business Activities, Functions and Processes (Revised March 2009), available here.

7. Payments Canada, Developing a Vision for Canada's Payments Ecosystem, Draft for Consultation, April 20, 2016, p. 4.

8. Regulations Amending Certain Regulations Made Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2016 SOR/2016-153 June 17, 2016, available here.

9. For the U.K. example see the Financial Conduct Authority, "Regulatory Sandbox" (Nov. 2015) available here.

10. E.g. the Australian Securities & Investment Commission's Innovation Hub, details of which are available here.

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2016

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Pat Forgione
Robert M. Scavone
In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.